Inside-Out Firewalling

The deployment of perimeter firewalls is the most fundamental element of any business network. Most organizations have outside to inside (outside-in) firewalling that prevents all but a limited range of legitimate traffic into the "demilitarized zone" (DMZ) or internal networks. The obvious benefit of this is that outside-in firewalling protects the company from attacks that originate from the outside. Ports that are typically opened are HTTP and secure socket layer (SSL) for Web traffic, domain name service (DNS) ports for resolution of IP addresses, e-mail ports, remote access connections, and a handful of other necessary business-to-business communication (file transfer or virtual private network) protocols.

Add a note hereHowever, the adoption of inside to outside (inside-out) firewalling is not as prevalent. Many companies have limited or no inside-out firewall rules, thus allowing broad access for outbound connections from within their corporate network to the outside world. A cost-efficient way to hinder the effectiveness of malware significantly is to focus on implementing inside-out firewalling. You already own the firewalls, so stretch your investment dollars by configuring them to enable the following:

§  Add a note hereBlock viruses from spreading from one segment of your network to another or from your network to other companies, thus limiting your liability and containing the exponential propagation of the virus.
§  Add a note hereLimit the ability for automated attacks to download more tools from the Internet.
§  Add a note herePrevent spyware, zombies, or bots from establishing contact or sending data to their controllers (person or group who collects or controls the malware).
§  Add a note hereEnforce stronger end-user policies to limit business-only access from inside your network to the Internet. This in turn should lower your infection rate as well as curb undesirable, unproductive, and potentially malicious behavior.

Add a note hereTo facilitate inside-out firewalling, activate firewall monitoring to see the range of traffic going to the Internet from your network. You will be surprised to find the amount of nonbusiness-related and potentially malware-associated activities traversing your perimeter. From the firewall logs, establish and enforce your policies around a limited range of business- and IT-sanctioned activities such as Internet browsing, DNS resolution, network time protocol (NTP), and so on.

Add a note hereInside-out firewalling is not a silver bullet, but rather another layer of defense that you can leverage without additional hardware. Sophisticated malware writers still get around these controls by tunneling their traffic through legitimate inside-out ports such as HTTP or even SSL. Talk to your firewall vendors about how your specific firewall can counter the inside-out threats that use legitimate ports.

No comments: